
Sunday, January 17, 2021

Edgerouter-12 setup for isolated Home-Assistant and IOT vlan

Here is the CLI firewall setup that I decided to use on my Edgerouter-12 (ER-12) to isolate the vlan for my home-assistant and IOT equipment. This equipment is set up to work within my local network. You still need a DHCP service defined on the ER-12, unless it comes from an external source. The basics are:


  1. HA-IOT devices are allowed to access the internet; they need this to connect to the Wyze servers
  2. HA-IOT devices can access each other on the vlan
  3. HA-IOT devices can be accessed by specific laptops located on different vlans
  4. HA-IOT devices are not allowed to modify the configuration of the Edgerouter-12, but can get their DNS and DHCP services from the ER-12
  5. HA-IOT devices are not allowed to access any other vlan on the ER-12
  6. other specific vlans are allowed to access the home-assistant server on port 8123 (not implemented yet)


First we need firewall groups for the RFC-1918 private address ranges, the control laptops, the printer, and the HA-IOT vlan address range:


# Firewall groups referenced by the HA-IOT rulesets below.
#
# RFC-1918_GROUP: the three private ranges. It is the "any internal network"
# match used by the drop rules in HA-IOT_IN (destination) and HA-IOT_OUT
# (source), so it must stay complete or the isolation has a gap.
set firewall group address-group RFC-1918_GROUP address 192.168.0.0/16
set firewall group address-group RFC-1918_GROUP address 172.16.0.0/12
set firewall group address-group RFC-1918_GROUP address 10.0.0.0/8
set firewall group address-group RFC-1918_GROUP description 'RFC-1918 Group'
# CONTROL_LAPTOP: the admin hosts that should be able to reach into the vlan.
# <control_laptop_N_IP> are placeholders; replace them before commit.
# NOTE(review): in the rulesets below this group only appears as the *source*
# of HA-IOT_IN rule 30, i.e. on traffic arriving from the HA-IOT vlan itself;
# confirm the laptops are where that rule expects them to be.
set firewall group address-group CONTROL_LAPTOP address <control_laptop_1_IP>
set firewall group address-group CONTROL_LAPTOP address <control_laptop_2_IP>
set firewall group address-group CONTROL_LAPTOP description 'Laptop used for Admin on Network'
# PRINTER: single host; <printer_IP> is a placeholder.
set firewall group address-group PRINTER address <printer_IP>
set firewall group address-group PRINTER description 'Printer IP on Network'
# HA-IOT_GROUP: the HA-IOT vlan subnet as a network-group (a /24 here).
# Keep this in step with the vif address below; the rules match on it.
set firewall group network-group HA-IOT_GROUP description 'ip addresses in HA-IOT vlan'
set firewall group network-group HA-IOT_GROUP network <HA-IOT_vlan_address_range>/24


Next we need a VLAN sub-interface (vif) on switch0 for our vlan, with the three firewall rulesets attached to it:


# VLAN sub-interface on switch0 for the HA-IOT network. <HA-IOT_vlan_tag> is the
# 802.1Q tag and <router_address_on_HA-IOT_vlan>/24 is the ER-12's own address
# on that vlan (also the DHCP/DNS target the LOCAL ruleset allows).
set interfaces switch switch0 vif <HA-IOT_vlan_tag> address <router_address_on_HA-IOT_vlan>/24
set interfaces switch switch0 vif <HA-IOT_vlan_tag> description HA-IOT
# Ruleset bindings, defined further down:
#   in    - traffic arriving from the vlan and forwarded elsewhere
#   local - traffic from the vlan addressed to the ER-12 itself
#   out   - traffic leaving the ER-12 toward the vlan
set interfaces switch switch0 vif <HA-IOT_vlan_tag> firewall in name HA-IOT_IN
set interfaces switch switch0 vif <HA-IOT_vlan_tag> firewall local name HA-IOT_LOCAL
set interfaces switch switch0 vif <HA-IOT_vlan_tag> firewall out name HA-IOT_OUT
# NOTE(review): none of the rules below depend on proxy-ARP; confirm there is a
# reason to keep it enabled on an interface that is meant to be isolated.
set interfaces switch switch0 vif <HA-IOT_vlan_tag> ip enable-proxy-arp


The rules for traffic entering the ER-12 from our HA-IOT vlan and forwarded on to other networks [HA-IOT_IN]:


# HA-IOT_IN: applied to traffic arriving on the vlan and forwarded by the ER-12.
# Default is accept, so anything not matched below (in practice, internet
# destinations, since rule 50 drops all private destinations) is allowed.
# The description string still reads 'Guest In' - presumably copied from a
# guest-vlan template; harmless, but worth renaming to avoid confusion.
set firewall name HA-IOT_IN default-action accept
set firewall name HA-IOT_IN description 'Guest In'
# rule 10: stateful allow for replies to connections the vlan already has.
set firewall name HA-IOT_IN rule 10 action accept
set firewall name HA-IOT_IN rule 10 description 'accept established and related'
set firewall name HA-IOT_IN rule 10 log disable
set firewall name HA-IOT_IN rule 10 protocol all
set firewall name HA-IOT_IN rule 10 state established enable
set firewall name HA-IOT_IN rule 10 state invalid disable
set firewall name HA-IOT_IN rule 10 state new disable
set firewall name HA-IOT_IN rule 10 state related enable
# rule 20: reject packets the connection tracker cannot classify.
set firewall name HA-IOT_IN rule 20 action reject
set firewall name HA-IOT_IN rule 20 description 'reject invalid packets'
set firewall name HA-IOT_IN rule 20 log disable
set firewall name HA-IOT_IN rule 20 protocol all
set firewall name HA-IOT_IN rule 20 state established disable
set firewall name HA-IOT_IN rule 20 state invalid enable
set firewall name HA-IOT_IN rule 20 state new disable
set firewall name HA-IOT_IN rule 20 state related disable
# rule 30: CONTROL_LAPTOP -> PRINTER.
# NOTE(review): this ruleset only sees packets whose source is on the HA-IOT
# vlan, so the source match only fires if a control laptop lives on that vlan.
# If the laptops are on other vlans (as the post's point 3 says), this rule
# never matches and the laptop-to-vlan access has to be granted elsewhere.
set firewall name HA-IOT_IN rule 30 action accept
set firewall name HA-IOT_IN rule 30 description 'allow printer'
set firewall name HA-IOT_IN rule 30 destination group address-group PRINTER
set firewall name HA-IOT_IN rule 30 log disable
set firewall name HA-IOT_IN rule 30 protocol all
set firewall name HA-IOT_IN rule 30 source group address-group CONTROL_LAPTOP
# rule 40: vlan-to-vlan traffic that happens to pass the router is allowed
# before the private-range drop in rule 50.
set firewall name HA-IOT_IN rule 40 action accept
set firewall name HA-IOT_IN rule 40 description 'accept HA-IOT traffic'
set firewall name HA-IOT_IN rule 40 destination group network-group HA-IOT_GROUP
set firewall name HA-IOT_IN rule 40 log disable
set firewall name HA-IOT_IN rule 40 protocol all
# rule 50: the isolation rule - drop anything headed for another private
# network. Logging is disabled here; enabling it is the cheapest way to notice
# an IoT device trying to reach other vlans, so consider 'log enable'.
set firewall name HA-IOT_IN rule 50 action drop
set firewall name HA-IOT_IN rule 50 description 'Block RFC-1918 Traffic'
set firewall name HA-IOT_IN rule 50 destination group address-group RFC-1918_GROUP
set firewall name HA-IOT_IN rule 50 log disable
set firewall name HA-IOT_IN rule 50 protocol all


The rules for traffic from our HA-IOT vlan to the ER-12 itself (DNS, DHCP, other services) [HA-IOT_LOCAL]:


# HA-IOT_LOCAL: traffic from the vlan addressed to the ER-12 itself.
# Default is drop, so the only router services reachable from the vlan are the
# ones explicitly opened below (DHCP and DNS). Nothing here opens the web UI
# or SSH, which is what keeps point 4 of the post (no config changes from the
# vlan) true. The description string still says 'Guest Local'.
set firewall name HA-IOT_LOCAL default-action drop
set firewall name HA-IOT_LOCAL description 'Guest Local'
# rule 10: replies to connections the router already has with the vlan.
set firewall name HA-IOT_LOCAL rule 10 action accept
set firewall name HA-IOT_LOCAL rule 10 description 'accept established and related'
set firewall name HA-IOT_LOCAL rule 10 log disable
set firewall name HA-IOT_LOCAL rule 10 protocol all
set firewall name HA-IOT_LOCAL rule 10 state established enable
set firewall name HA-IOT_LOCAL rule 10 state invalid disable
set firewall name HA-IOT_LOCAL rule 10 state new disable
set firewall name HA-IOT_LOCAL rule 10 state related enable
# rule 20: reject packets the connection tracker cannot classify.
set firewall name HA-IOT_LOCAL rule 20 action reject
set firewall name HA-IOT_LOCAL rule 20 description 'reject invalid packets'
set firewall name HA-IOT_LOCAL rule 20 log disable
set firewall name HA-IOT_LOCAL rule 20 protocol all
set firewall name HA-IOT_LOCAL rule 20 state established disable
set firewall name HA-IOT_LOCAL rule 20 state invalid enable
set firewall name HA-IOT_LOCAL rule 20 state new disable
set firewall name HA-IOT_LOCAL rule 20 state related disable
# rule 30: DHCP - client port 68 to server port 67 over UDP only.
set firewall name HA-IOT_LOCAL rule 30 action accept
set firewall name HA-IOT_LOCAL rule 30 description 'Allow DHCP'
set firewall name HA-IOT_LOCAL rule 30 destination port 67
set firewall name HA-IOT_LOCAL rule 30 log disable
set firewall name HA-IOT_LOCAL rule 30 protocol udp
set firewall name HA-IOT_LOCAL rule 30 source port 68
# rule 40: DNS on port 53, both TCP and UDP (TCP is needed for large answers).
set firewall name HA-IOT_LOCAL rule 40 action accept
set firewall name HA-IOT_LOCAL rule 40 description 'Allow DNS'
set firewall name HA-IOT_LOCAL rule 40 destination port 53
set firewall name HA-IOT_LOCAL rule 40 log disable
set firewall name HA-IOT_LOCAL rule 40 protocol tcp_udp


The rules for traffic leaving the ER-12 toward our HA-IOT vlan, i.e. arriving from the internet or from other vlans [HA-IOT_OUT]:


# HA-IOT_OUT: traffic the ER-12 sends out onto the vlan, i.e. packets that came
# in from the internet or from another vlan. Default is accept; rule 50 below
# is what stops other private networks from reaching in. The description
# string still says 'Guest Out'. Rule numbering skips 30 (no printer rule on
# this side).
set firewall name HA-IOT_OUT default-action accept
set firewall name HA-IOT_OUT description 'Guest Out'
# rule 10: replies to connections the vlan opened (e.g. internet return traffic).
set firewall name HA-IOT_OUT rule 10 action accept
set firewall name HA-IOT_OUT rule 10 description 'accept established and related'
set firewall name HA-IOT_OUT rule 10 log disable
set firewall name HA-IOT_OUT rule 10 protocol all
set firewall name HA-IOT_OUT rule 10 state established enable
set firewall name HA-IOT_OUT rule 10 state invalid disable
set firewall name HA-IOT_OUT rule 10 state new disable
set firewall name HA-IOT_OUT rule 10 state related enable
# rule 20: reject packets the connection tracker cannot classify.
set firewall name HA-IOT_OUT rule 20 action reject
set firewall name HA-IOT_OUT rule 20 description 'reject invalid packets'
set firewall name HA-IOT_OUT rule 20 log disable
set firewall name HA-IOT_OUT rule 20 protocol all
set firewall name HA-IOT_OUT rule 20 state established disable
set firewall name HA-IOT_OUT rule 20 state invalid enable
set firewall name HA-IOT_OUT rule 20 state new disable
set firewall name HA-IOT_OUT rule 20 state related disable
# rule 40: traffic sourced from the vlan's own subnet is accepted ahead of the
# private-range drop in rule 50.
set firewall name HA-IOT_OUT rule 40 action accept
set firewall name HA-IOT_OUT rule 40 description 'accept HA-IOT traffic'
set firewall name HA-IOT_OUT rule 40 log disable
set firewall name HA-IOT_OUT rule 40 protocol all
set firewall name HA-IOT_OUT rule 40 source group network-group HA-IOT_GROUP
# rule 50: drop new connections from any other private network into the vlan.
# NOTE(review): as written this also drops new connections from the
# CONTROL_LAPTOP hosts (they are RFC-1918 addresses on other vlans), so point 3
# of the post is not satisfied by the rules shown; an accept for source group
# CONTROL_LAPTOP placed before rule 50 would be the natural place for it.
# As with HA-IOT_IN rule 50, logging is disabled; consider enabling it so
# blocked cross-vlan attempts are visible.
set firewall name HA-IOT_OUT rule 50 action drop
set firewall name HA-IOT_OUT rule 50 description 'Drop Non-Guest Traffic'
set firewall name HA-IOT_OUT rule 50 log disable
set firewall name HA-IOT_OUT rule 50 protocol all
set firewall name HA-IOT_OUT rule 50 source group address-group RFC-1918_GROUP